Java Deserialization Vulnerabilities
2022-09-18 20:15:46
ysoserial commons collections overview map
Outline / Content
Command execution
CC3_InstantiateTransformer
CC1_TransformedMap
TemplatesImpl.newTransformer()
PriorityQueue.readObject()
BadAttributeValueExpException.readObject()
TiedMapEntry.toString()
AbstractMapDecorator.equals
CC1_LazyMap
new TrAXFilter(templates); templates = instance of TemplatesImpl
AnnotationInvocationHandler.readObject()
ChainedTransformer.transform()
Hashtable.reconstitutionPut()
Runtime.getRuntime().exec()
TransformedMap.checkSetValue()
TemplatesImpl.defineTransletClasses()
Hashtable.readObject()
CC3_InvokerTransformer
AnnotationInvocationHandler.memberValues = lazyMapProxy
HashMap.readObject(); key = tiedMapEntry
TemplatesImpl.getTransletInstance()
Arbitrary class loading
(1) Serializable (2) Overrides the readObject method (3) Accepts arbitrary objects
TemplatesImpl.TransletClassLoader.defineClass
LazyMap.equals()
AbstractMap.equals
InvokerTransformer.transform()
ClassLoader.defineClass() => class.newInstance()
InstantiateTransformer.transform()
Map.entry.setValue()
CC7
Proxy(handler).entrySet(); handler.memberValues = instance of LazyMap
LazyMap.get(); lazyMap.factory = chainedTransformer
CC4
TiedMapEntry.hashCode(); tiedMapEntry.map = lazyMap
TransformingComparator.compare()
CC6
AnnotationInvocationHandler.invoke()
CC5
CC2